Migration of Internal Control Requirements to State Governments: Are You Ready? Dr. Sridhar Ramamoorti, Partner National Corporate Governance Group.


1 Migration of Internal Control Requirements to State Governments: Are You Ready? Dr. Sridhar Ramamoorti, Partner National Corporate Governance Group Christian Fuellgraf, Director Global Public Sector

2 Presentation & Discussion Overview
• Why does the migration of internal control requirements to state government seem inevitable? Should it be?
• What have we learned from the experience with OMB A-123 and SOX 404?
• What can you do to prepare and be "in control"?
• Audience Q & A

We will:
• Share valuable lessons learned and best practices
• Offer strategies for overcoming key change management issues associated with sustaining a robust internal control program

3 Fundamental Insight: Change is on the Horizon!
"It is the species most perfectly adapted to its environment that is the first to perish when the environment changes." --Sir Arnold Toynbee, Professor of History, Oxford University

4 Internal Control Overview

5 Internal controls defined – COSO 1992, 2004
Internal control is broadly defined as: "a process, effected by an entity's board of directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Objective/Strategy setting
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

The Committee of Sponsoring Organizations of the Treadway Commission, Internal Control — Integrated Framework

Include examples of effective IC’s

6 Grant Thornton’s point of view on internal controls
What it is:
• A Blueprint for better and more efficient fiscal, program and technology management
• A Methodology to ensure fiscal accountability and safeguard public assets
• An Approach that aligns an organization’s process and procedures to reporting, rules and legal requirements
• A set of Standard Practices to provide reasonable assurance of the integrity of all fiscal processes
• A Means to creating greater visibility and confidence by legislative leadership, opinion leaders and stakeholders into the fiscal and operational integrity of an agency

What it isn’t:
• A static, quick solution to long-term problems
• A panacea for every fiscal or management problem
• A replacement for solid managers or management
• A perfect, one size fits all, out of the box solution
• A computer application

Analogy to immune defense system…breakdowns
Waste, abuse…and even fraud!

7 Internal controls are a means to manage risk
• Internal control is a means of managing the risk associated with programs and operations – done properly they are widely accepted and followed.
• Most employees, and even interested third parties, welcome better internal controls.
• Internal controls comprise both a structure and a systematic methodology to help financial, technology and program managers achieve their mission results and safeguard the integrity of their programs.

8 Internal controls framework (COSO, 1992; 2004; 2006)

9 Internal controls in State government

10 Migration to formal internal control structures
• Given their fiduciary status with respect to the public, States intuitively recognize the importance of internal controls
• With increased emphasis on transparency and accountability, States are moving to a more formal "SOX-lite" structure
• Organizational and accountability structure as well as internal audit and review are both critical success factors – need integration

11 Why internal controls in state government
• Fulfill campaign promises to improve government operations and eliminate fraud, waste and abuse
• Effective internal control programs will save dollars for agencies
• Superior risk identification and mitigation
• Back office system upgrades and replacements
• Better operational and financial management brings many rewards
• Increased public, media and other stakeholder confidence
• Increased legislative support
• Redundancy of procedures
• Ineffective procedure elimination
• Updated processes
• IT system upgrades
• Hard dollar savings and cost avoidance
• Bond ratings

12 MONITORING: The risk → response → monitor → correct cycle
Forthcoming COSO monitoring guidance

Operations / Financial Reporting / Compliance

Steps:
1. Identify & Prioritize Risks to Achieving Objectives
2. Design & Implement Response to Risk
3. Identify & Prioritize Monitoring Needs
4. Design & Implement Monitoring Procedures
5. Take Necessary Corrective Action

COSO components (steps covered):
• Control Environment (All Steps)
• Risk Assessment (Steps 1 & 3)
• Control Activities (Step 2)
• Info & Communication (All Steps)
• Monitoring (Steps 3-5)

13 Lessons Learned About Designing, Implementing and Sustaining Internal Controls

14 Best practices for internal control implementations
Structure / People / Process / Technology
• Promotes accountability of public agency resources, programs and funding
• People committed to stewardship and technical excellence
• Responsible use of technology tools
• Integration of financial, non-financial data
• Effective analytical capability
• Be proactive when implementing ERP
• Fiscal, and services data integrity
• Improved clarity and consistency in fiscal reporting and process
• Proactive indicators of problems
• Ability to react based on problem identification

S+P+P+T = robust and effective internal controls

15 Leadership Endorsement of Internal Controls
• Governor – it is all about the tone at the top
• CFO – Comptrollers, Budget Directors, Auditors, Treasurers (NASACT*)
• CIO – this is not just about assets, it is about information!
• Cabinet members – agency leadership must be involved and show active executive support
• Legislature – not unlike a board of directors
• CAE – Review by internal auditors
• Reconfirmation of internal control operating effectiveness

16 Lessons learned from successful internal controls implementations
• Management’s approach must be positive – so its employees are positive
• Obtain management commitment and ownership
• Train staff early to understand why and how
• The number of key controls is the primary cost driver
• Eliminate the silos (setting up a PMO may be necessary)
• Take an ERM approach to obtain a holistic view
• Sole reliance on independent tests of controls is the “high cost” approach
• Perform gap analysis and get outside assistance scheduled early
• Software is not the "cure-all" – need human intervention and staff involvement
• Plan for long-term sustainability – this is a continuous process

Some first-year adopters started too late and had difficulty meeting deadlines. Some experienced delays in system implementations and accounting consolidations. Others found their merger integration plans affected. Still others experienced resource shortages. Many reported that angst existed between management and auditors. The root cause of many of these issues was starting too late.

Estimates to complete the work were grossly underestimated, from the beginning and throughout the process. For most first adopters, there were too many fire drills. Guidance was issued too late, so first adopters operated for a long time without a clear articulation of the task. The lack of a risk-based approach led to huge subjective scope creep. Documentation took longer than anyone expected.

Too many agencies tested too many controls. This area should be a prime focus of attention during the second year. A top-down, risk-based approach is best practice. The top-down approach evaluates the control environment and general IT controls first, rather than as an afterthought. Under a risk-based approach, management should ensure that the agency’s risk assessment process is effective in considering quantitative and qualitative factors. Filtering to determine the key controls is important, as not all controls need be tested. The criticality of the controls to achieving financial reporting assertions is an important consideration.

Internal control evaluation is not a “one size fits all” approach. The “reasonable assurance” standard implies “a range of acceptable conduct,” suggesting the potential for different approaches given an agency’s facts and circumstances. For example, independent tests are only one source of evidence. Self-assessment and agency-level and process-level monitoring are other sources of evidence and should be deployed as an integral part of a balanced testing plan. A balanced approach is the preferred approach.

For example, the quality of financial reporting improved as control deficiencies were remediated. The CFO and the finance function improved their influence and stature in the organization and with the political leadership and outside interested parties. Oversight and Audit Committees were more engaged and supportive of finance. Not only did a lot of people at all levels get educated about risks and controls, there is now more discipline around internal controls at many organizations.

A lack of experienced resources affected everyone. Resources are expected to continue to be scarce over the next 12 months.

The tone at the top is important.

17 Challenges each state and agency will face
• Potentially difficult requirement
• Would prefer one attempt to get it right
• Stakeholder buy-in and managing expectations
• Resource issues
    • Staff levels and availability
    • Staff familiarity and experience with internal controls
    • Appropriately customized IT systems and infrastructure
    • Funding for outside support
• Decentralized or large operating environments have special considerations
    • Extent of autonomy with strength and role of a central office
    • Extent of uniformity or existence of processes
    • Utilization or adoption of controls particularly across regions or divisional boundaries

18 Opportunities
• Effective internal control programs will save dollars
• Superior risk identification and mitigation
• Increased public, media and other stakeholder confidence
• Increased legislative support
• Internal controls are the very DNA of enterprises – analogy to immune defense systems
• Redundancy of procedures
• Ineffective procedure elimination
• Updated processes
• IT system upgrades
• Hard dollar savings and cost avoidance

19 Fundamental Insight: Create Your Own Future!
Planning without Action is FUTILE, but Action without Planning may be FATAL!

20 Conclusion Thank you!

21 Appendix Additional information

22 About Grant Thornton
• 5th largest of the global accounting and consulting firms
• More than 25,000 professionals around the world
• 50 Offices in the United States
• Recognized thought leader in the implementation of internal controls across government and industry
• COSO commissioned Grant Thornton to develop guidance to help organizations monitor the quality of their internal controls systems.
• Global Public Sector Consulting Practice based in Alexandria, VA
• Recognized as a leader in the implementation of internal controls at federal agencies.

23 Internal controls defined
Internal control is broadly defined as: "a process, effected by an entity's board of directors, management, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations"

The Committee of Sponsoring Organizations of the Treadway Commission, Internal Control — Integrated Framework

Include examples of effective IC’s

24 Evolution of Internal Controls: "Greedy algorithm"
• Budget and Accounting Procedures Act of 1950
• IG Act 1978
• OMB A-123 1981
• FMFIA 1982
• GAO Green Book 1983
• OMB Q&A 1984
• COSO Framework 1985
• CFO Act 1990
• FDICIA 1991
• OMB A-123 1995
• FFMIA 1996
• GAO Green Book 1999
• Sarbanes Oxley 2002
• FISMA 2002
• OMB A-123 2004
• CFO Council Implementation Guide 2005
• State Governments 2006 and on…

25 Additional lessons learned
What lessons have adopters learned that would be of interest to agencies complying with ARMICS requirements?

• It is never too early to begin the process - Some first-year adopters started too late and had difficulty meeting deadlines. Some experienced delays in system implementations and accounting consolidations. Others found their merger integration plans affected. Still others experienced resource shortages. Many reported that angst existed between management and auditors. The root cause of many of these issues was starting too late.

• It will always take longer than you think - Estimates to complete the work were grossly underestimated, from the beginning and throughout the process. For most first adopters, there were too many fire drills. Guidance was issued too late, so first adopters operated for a long time without a clear articulation of the task. The lack of a risk-based approach led to huge subjective scope creep. Documentation took longer than anyone expected.

26 Additional lessons learned
• The number of key controls is THE primary cost driver. Too many agencies tested too many controls. This area should be a prime focus of attention during the second year. A top-down, risk-based approach is best practice. The top-down approach evaluates the control environment and general IT controls first, rather than as an afterthought. Under a risk-based approach, management should ensure that the agency’s risk assessment process is effective in considering quantitative and qualitative factors. Filtering to determine the key controls is important, as not all controls need be tested. The criticality of the controls to achieving financial reporting assertions is an important consideration.

• Sole reliance on independent tests of controls is the “high cost” approach. Internal control evaluation is not a “one size fits all” approach. The “reasonable assurance” standard implies “a range of acceptable conduct,” suggesting the potential for different approaches given an agency’s facts and circumstances. For example, independent tests are only one source of evidence. Self-assessment and agency-level and process-level monitoring are other sources of evidence and should be deployed as an integral part of a balanced testing plan. A balanced approach is the preferred approach.

27 Additional lessons learned
• There were many good things that happened. For example, the quality of financial reporting improved as control deficiencies were remediated. The CFO and the finance function improved their influence and stature in the organization and with the political leadership and outside interested parties. Oversight and Audit Committees were more engaged and supportive of finance. Not only did a lot of people at all levels get educated about risks and controls, there is now more discipline around internal controls at many organizations.

• Get outside assistance scheduled early. A lack of experienced resources affected everyone. Resources are expected to continue to be scarce over the next 12 months.

• Management’s approach should be positive – so its employees are positive. The tone at the top is important.

28 Sustaining an Internal Controls Program…1

29 Sustaining an Internal Controls Program…2
• Prior to OMB Circular A-123, a prevalent misconception was that “getting the financial statements right” was the responsibility of the independent auditor
• Unfortunately, even the best audit process cannot compensate for a poor financial reporting process (GIGO: you can't make a good omelet out of bad eggs!)
• It falls to the policies, procedures, people and technology that management puts in place:
    • to maintain a proper tone at the top and
    • create a culture of excellence and integrity in which there is reasonable assurance that the financial statements are right in the first place

